From: kettenis <kettenis@openbsd.org>
Date: Sun, 1 May 2022 11:03:48 +0000 (+0000)
Subject: Prevent out-of-bounds array access with binaries that use unsupported
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=eabe4e0542e0f6619cd216f00a23ab2aa0cc008a;p=openbsd

Prevent out-of-bounds array access with binaries that use unsupported
relocations.

ok guenther@
---

diff --git a/libexec/ld.so/amd64/rtld_machine.c b/libexec/ld.so/amd64/rtld_machine.c
index 6c8e9da1cb3..d2bf67c04c7 100644
--- a/libexec/ld.so/amd64/rtld_machine.c
+++ b/libexec/ld.so/amd64/rtld_machine.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: rtld_machine.c,v 1.40 2022/01/08 06:49:41 guenther Exp $ */
+/*	$OpenBSD: rtld_machine.c,v 1.41 2022/05/01 11:03:48 kettenis Exp $ */
 
 /*
  * Copyright (c) 2002,2004 Dale Rahn
@@ -75,6 +75,8 @@
 #include "util.h"
 #include "resolve.h"
 
+#define nitems(_a)     (sizeof((_a)) / sizeof((_a)[0]))
+
 int64_t pcookie __attribute__((section(".openbsd.randomdata"))) __dso_hidden;
 
 /*
@@ -132,7 +134,8 @@ static const int reloc_target_flags[] = {
 #define RELOC_USE_ADDEND(t)		((reloc_target_flags[t] & _RF_A) != 0)
 #define RELOC_TARGET_SIZE(t)		((reloc_target_flags[t] >> 8) & 0xff)
 #define RELOC_VALUE_RIGHTSHIFT(t)	(reloc_target_flags[t] & 0xff)
-#define RELOC_ERROR(t)			(reloc_target_flags[t] & _RF_E)
+#define RELOC_ERROR(t) \
+	((t) >= nitems(reloc_target_flags) || (reloc_target_flags[t] & _RF_E))
 
 static const Elf_Addr reloc_target_bitmask[] = {
 #define _BM(x)  (~(Elf_Addr)0 >> ((8*sizeof(reloc_target_bitmask[0])) - (x)))